Failing to authenticate using SSH keys through PAM --- Error PAM-CM-1341: Failed to establish a communications channel to the remote host.

Article ID: 254365

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Multiple Linux hosts (~24) fail to authenticate with SSH keys through PAM, returning the error "PAM-CM-1341: Failed to establish a communications channel to the remote host", while logging on with the same public key works fine directly from a Linux host.

Environment

Release : 4.0.X / 4.1.X

Cause

The private key must be encoded with Base64 before it is used in the password field.

Resolution

The customer updated, using the command line, all of the sshkey target accounts that had previously failed to authenticate with error PAM-CM-1341. After this command-line update, all the target accounts authenticated successfully.

The command line parameters are as shown below (the way it appears in PowerShell using variables):

ArgumentList = @("-cp $LIBS $SSL_OPTION com.cloakware.cspm.server.ui.CommandLineInterface cspmHostName=$capam adminUserID=$username adminPassword=$password cmdName=updateTargetAccount TargetAccount.ID=$targetAccountID TargetServer.hostName=$targetHostName TargetApplication.name=$targetAppName TargetAccount.userName=$targetAccountName Attribute.passwordViewPolicyId=$AttributepasswordViewPolicyId TargetAccount.password=$targetAccountPassword Attribute.protocol=$Attributeprotocol ""Attribute.publicKey=$AttributepublicKey"" Attribute.passwordChangeMethod=$AttributepasswordChangeMethod Attribute.useOtherAccountToChangePassword=$AttributeuseOtherAccountToChangePassword TargetAccount.privileged=true TargetAccount.synchronize=$TargetAccountsynchronize Attribute.passphrase=$Attributepassphrase passwordIsBase64Encoded=$passwordIsBase64Encoded")

Key definitions:
$passwordIsBase64Encoded = "true"

$TargetAccountsynchronize = "true"

$targetAccountPassword = "Long string (no line feeds) from contents of Base64 Encoded Private Key PEM File"

$AttributepublicKey = "ssh-rsa " + "$PUBLIC_KEY_STRING" + " "

$AttributepasswordViewPolicyId = """"""

The two significant changes the customer made on the command line were encoding the private key with Base64 before using it in the password field, and changing the PVP (password view policy) to Default.
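
One way to produce the single-line value for $targetAccountPassword, shown as an added example that is not part of the original article or the vendor's tooling. It assumes the whole PEM file, header and footer included, is what gets Base64-encoded; the function name ConvertTo-PamKeyPassword and the sample key text are hypothetical.

```powershell
# Added example. Builds the Base64 string used for TargetAccount.password and
# checks it before it is handed to updateTargetAccount.
function ConvertTo-PamKeyPassword {
    param(
        [Parameter(Mandatory)] [string] $PemText
    )

    # Reject anything that is not a PEM private key, for example the .pub file
    # selected by mistake (the public key belongs in Attribute.publicKey).
    if ($PemText -notmatch '-----BEGIN [A-Z ]*PRIVATE KEY-----' -or
        $PemText -notmatch '-----END [A-Z ]*PRIVATE KEY-----') {
        throw 'Input does not look like a PEM private key.'
    }

    # ToBase64String inserts no line breaks by default, which gives the
    # "long string (no line feeds)" form the article calls for.
    $bytes   = [System.Text.Encoding]::UTF8.GetBytes($PemText)
    $encoded = [System.Convert]::ToBase64String($bytes)

    # Guard against whitespace creeping in and confirm the value decodes
    # back to exactly the text that was read.
    if ($encoded -match '\s') {
        throw 'Encoded value contains whitespace.'
    }
    $decoded = [System.Text.Encoding]::UTF8.GetString(
        [System.Convert]::FromBase64String($encoded))
    if ($decoded -cne $PemText) {
        throw 'Base64 round-trip does not match the original key text.'
    }
    return $encoded
}

# Constructed sample input, not a real key. For a real account, read the file:
#   $pem = Get-Content -Raw -LiteralPath <path to private key PEM>
$samplePem = @'
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERNOTAREALKEY
-----END OPENSSH PRIVATE KEY-----
'@

# Variable names below are the ones used in the article's command line.
$targetAccountPassword   = ConvertTo-PamKeyPassword -PemText $samplePem
$passwordIsBase64Encoded = "true"
```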

Additional Information

None.